A Lightbulb Worm? A teardown of the Philips Hue.
Colin O’Flynn (with special appearance by Eyal Ronen)
Black Hat USA 2016. Las Vegas, N.V. August 3-4, 2016. Presentation revision 19-July-2016.
Demo by Eyal Ronen
See http://www.wisdom.weizmann.ac.il/~eyalro/
[Log,Info,ConnectedLamp,MCUCR=0x00,LockBits=0xFC,LowFuse=0xF6,HighFuse=0x9A,ExtFuse=0xFE]
[Log,Info,ConnectedLamp,devsig=0x1EA803]
[Log,Info,S_DeviceInfo,Booting into normal mode...]
[Log,Info,S_DeviceInfo,DeviceId: Bulb_A19_DimmableWhite_v2]
[Log,Info,N_Security,LIB4.5.75]
[Log,Info,N_Security,KeyBitMask,0x0012]
[Log,Info,ConnectedLamp,Platform version 0.41.0.1,package_ZigBee 117,package_BC_Stack 104,svn 26632]
[Log,Info,ConnectedLamp,Product version WhiteLamp-Atmel 5.38.1.15095,built by LouvreZLL]
[Log,Info,A_Commissioning,Factory New at Ch: 11]
[TH,Ready,0]
a. Hold the SPI line low; notice the ASSERT printed matches the same name types used (NVs)
b. Can find the same print statements
[TH,Ready,0]
[Log,Info,N_Connection,Starting discovery for updated networks]
[Log,Info,N_Connection,Discovery for updated networks completed]
http://xxx/firmware/HUE0100/66013452/ConnectedLamp-Target_0012_13452_8D.sbl-ota
http://xxx/firmware/BSB001/1030262/firmware_rel_cc2530_encrypted_stm32_encrypted_01030262_0012.fw
[Log,Info,S_DeviceInfo,Booting into normal mode...]
[Log,Info,S_DeviceInfo,DeviceId: IpBridge]
[Log,Info,N_Security,LIB4.4.52]
[Log,Info,N_Security,KeyBitMask,0x0012]
[Log,Info,A_Bridge,Platform version 0.25.0,package_ZigBee 8720,package_Z_Stack 8720,built by LouvreZLL]
[Log,Info,A_Bridge,Product version 5.7.1,SmartBridge 11393,built by LouvreZLL]
[Bridge,Version,5.7.1,SmartBridge 11393,built by LouvreZLL]
[Bridge,GroupRange,0x5357,0x5367]
[Log,Info,D_Led,dc 16]
[Bridge,NetworkSettings,False,0xB163,26DF52A183D85889,11,0,S=0x0001]
[Log,Info,A_Bridge,NwkAddr: 0x0001, Ch: 11, Pan: 0xB163, NwkUpdId: 0, ExtPanID:26:DF:52:A1:83:D8:58:89]
[Log,Info,D_Led,dc 16]
[TH,Ready,0]
[Connection,A]
[Connection,GetAddress,L=00:17:88:01:01:07:BF:FC,S=0x0001.0]
[Bridge,StoreGroupRange,0]
[Log,Info,N_ConnectionRouter,Startup network discovery...]
[Connection,GetAddress]
[Bridge,StoreGroupRange,0x5357,0x5367]
[Zcl,S,S=0x0002.11,6,0000000000]
[Routing,ClearEntry,1]
[Routing,SendMtoRR,True]
[Zcl,S,S=0x0003.11,6,0001000000]
[Routing,ClearEntry,2]
[Routing,SendMtoRR,True]
[Zcl,S,S=0x0002.11,6,0002000000]
[Zcl,S,S=0x0003.11,6,0003000000]
[Zcl,S,S=0x0002.11,6,0004000000]
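The captured lamp and bridge output above uses one bracketed, comma-separated record format throughout ([Log,Info,<module>,<payload>] and [Bridge,<event>,<fields>]). As an added example, not part of the talk's material or any Philips code, the parser below pulls the security-relevant facts out of such a capture: the AVR fuse and lock bytes, the ZigBee security library version and KeyBitMask, and the network parameters (PAN ID, extended PAN ID, channel). The record layout is inferred from the lines shown on the page; the sample input is constructed from those lines, and the inventory key names are my own. The lock-bit check reads LB2:LB1 (bits 1:0) as documented for the ATmega family, where 00 disables further programming and verification of flash.

```python
"""Parse a Hue debug-UART capture and build a small security inventory.
Added example; record layout inferred from the captured lines on the page."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of the captured records shown on the slides.
SAMPLE_LOG = """\
[Log,Info,ConnectedLamp,MCUCR=0x00,LockBits=0xFC,LowFuse=0xF6,HighFuse=0x9A,ExtFuse=0xFE]
[Log,Info,ConnectedLamp,devsig=0x1EA803]
[Log,Info,S_DeviceInfo,DeviceId: Bulb_A19_DimmableWhite_v2]
[Log,Info,N_Security,LIB4.5.75]
[Log,Info,N_Security,KeyBitMask,0x0012]
[Log,Info,A_Commissioning,Factory New at Ch: 11]
[TH,Ready,0]
[Bridge,NetworkSettings,False,0xB163,26DF52A183D85889,11,0,S=0x0001]
[Log,Info,A_Bridge,NwkAddr: 0x0001, Ch: 11, Pan: 0xB163, NwkUpdId: 0, ExtPanID:26:DF:52:A1:83:D8:58:89]
"""

LINE_RE = re.compile(r"^\[(?P<body>[^\]]*)\]$")


def parse_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split one '[kind,field,field,...]' record into (kind, fields).
    Returns None for anything not in the bracketed format (e.g. shell prompts)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("body").split(",")
    return fields[0], fields[1:]


def parse_key_values(fields: List[str]) -> Dict[str, str]:
    """Turn payload fields written as 'Name=value' or 'Name: value' into a dict."""
    out: Dict[str, str] = {}
    for f in fields:
        f = f.strip()
        if "=" in f:
            k, v = f.split("=", 1)
        elif ": " in f:
            k, v = f.split(": ", 1)
        else:
            continue
        out[k.strip()] = v.strip()
    return out


def avr_flash_readout_locked(lockbits: int) -> bool:
    """True when LB2:LB1 (bits 1:0 of the AVR lock byte) are both programmed (0),
    i.e. further programming and verification of flash is disabled."""
    return (lockbits & 0x03) == 0


def extract_inventory(log_text: str) -> Dict[str, object]:
    """Walk a capture and collect device id, fuses, security lib, key mask and
    network settings. Keys in the returned dict are this example's own names."""
    inv: Dict[str, object] = {}
    fuses: Dict[str, int] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        kind, fields = rec
        if kind == "Log" and len(fields) >= 2:
            module, payload = fields[1], fields[2:]
            if module == "ConnectedLamp":
                kv = parse_key_values(payload)
                for k, v in kv.items():
                    if k.endswith("Fuse") or k == "LockBits":
                        fuses[k] = int(v, 16)
                if "devsig" in kv:
                    inv["devsig"] = int(kv["devsig"], 16)
            elif module == "S_DeviceInfo":
                kv = parse_key_values(payload)
                if "DeviceId" in kv:
                    inv["device_id"] = kv["DeviceId"]
            elif module == "N_Security":
                if payload and payload[0].startswith("LIB"):
                    inv["security_lib"] = payload[0][3:]
                elif payload[:1] == ["KeyBitMask"] and len(payload) > 1:
                    inv["key_bit_mask"] = int(payload[1], 16)
        elif kind == "Bridge" and fields[:1] == ["NetworkSettings"] and len(fields) >= 5:
            # [Bridge,NetworkSettings,<flag>,<PAN>,<ExtPAN>,<channel>,<update id>,S=<short addr>]
            inv["pan_id"] = int(fields[2], 16)
            inv["ext_pan_id"] = fields[3]
            inv["channel"] = int(fields[4])
    if fuses:
        inv["fuses"] = fuses
        inv["flash_readout_locked"] = avr_flash_readout_locked(fuses.get("LockBits", 0xFF))
    return inv


if __name__ == "__main__":
    for k, v in extract_inventory(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Feed it a full UART capture instead of SAMPLE_LOG to get the same inventory for a real device; anything that is not a bracketed record (shell prompts, blank lines) is skipped rather than raising.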
ath> setenv bootdelay 3
ath> printenv security
*** COPY THE DEFAULT VALUE THAT WAS PRINTED & SAVE THIS SOMEWHERE ***
ath> setenv security '$5$wbgtEC1iF$ugIfQUoE7SNg4mplDI/7xdfLC7jXoMAkupeMsm10hY9'
ath> printenv security
security=$5$wbgtEC1iF$ugIfQUoE7SNg4mplDI/7xdfLC7jXoMAkupeMsm10hY9
ath> saveenv
ath> reset
https://www.youtube.com/watch?v=hi2D2MnwiGM
http://colinoflynn.com/?p=706
• Master binary seems to “do it all” (webserver, parsing requests, etc.) at /usr/sbin/ipbridge
• FW Update routine at /usr/sbin/swupdate
• References AES-CBC-256 decryption routine, which references encryption key at /home/swupdate/certs/enc.k
• Two different bridges used same AES key (not really a big deal, as we already have unencrypted binaries since we have root).
Previous slide: power signature of first 64-byte block sent (sign-on info?). This slide: power signature for remaining 64-byte blocks (delay varies).
@colinoflynn
oflynn.com
newae.com
Eyal Ronen: http://www.wisdom.weizmann.ac.il/~eyalro/
Colin O’Flynn